record: Fix OOB access in ProcRecordUnregisterClients

If a client sends a RecordUnregisterClients request with an nClients field larger than INT_MAX / 4, an integer overflow leads to an out of boundary access in RecordSanityCheckClientSpecifiers. An example line with libXtst would be: XRecordUnregisterClients(dpy, rc, clients, 0x40000001); Reviewed-by: Adam Jackson <ajax@redhat.com> (cherry picked from commit 40c12a76c2ae57adefd3b1d412387ebbfe2fb784)
author: Tobias Stoeckmann <tobias@stoeckmann.org> 2017-03-19 17:55:07 +0100
committer: Olivier Fourdan <ofourdan@redhat.com> 2017-09-22 18:45:59 +0200
commit: e23000d83f8dbab4effd9f344f3d776634a1d56e (patch)
tree: 1368a2452a1a80083edce2029da2ae06bae5c1df
parent: 3166138ea681537dbe164e2888ccb96bb022220b (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/record/record.c b/record/record.c
index 82bb0607e..600d55f53 100644
--- a/record/record.c
+++ b/record/record.c
@@ -1910,7 +1910,8 @@ ProcRecordUnregisterClients(ClientPtr client)
     int i;
 
     REQUEST_AT_LEAST_SIZE(xRecordUnregisterClientsReq);
-    if ((client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) !=
+    if (INT_MAX / 4 < stuff->nClients ||
+        (client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) !=
         4 * stuff->nClients)
         return BadLength;
     VERIFY_CONTEXT(pContext, stuff->context, client);
author	Tobias Stoeckmann <tobias@stoeckmann.org>	2017-03-19 17:55:07 +0100
committer	Olivier Fourdan <ofourdan@redhat.com>	2017-09-22 18:45:59 +0200
commit	e23000d83f8dbab4effd9f344f3d776634a1d56e (patch)
tree	1368a2452a1a80083edce2029da2ae06bae5c1df
parent	3166138ea681537dbe164e2888ccb96bb022220b (diff)